Wednesday 2 February 2011

Web-based malware and clientside java tampering - interesting presentations

I watched a couple of presentations recently that I found very interesting, so I thought I would share them with you.


How to avoid getting a cap popped in your app

This is an excellent and very comprehensive presentation on drive-by downloads and modern web-based multi-layer malware. I highly recommend watching this one if you are interested in web security.

The speaker is Dr. Neil Daswani at the 2010 AppSec conference.

Even if you are experienced in the IT security field, you can definitely learn something here. Great summaries and interesting concepts all the way through.



The presentation covers:
  • The complex layered architecture of web-based attacks
  • Websites as distribution vehicles
  • Risks from embedded third-party resources
  • Interesting implications of the rich shared functionality used in websites of the modern internet
I think there will be a significant rise in these types of web-based attacks over the next three years. The level of complexity and modularity in some of these attacks is extreme, and it will be increasingly difficult for defenders to analyze and mitigate these threats.


How to hack client-side Java applets

This is an interesting insight from an experienced penetration tester, both into meeting the challenging demands of customer requirements and the promises of the sales team, and into an interesting way of "disassembling" and debugging a Java applet for parameter tampering attacks.



This is a reminder that, irrespective of how obscure and "protected" a client-side application is, you cannot trust the data that comes from the client.

Everything on the client-side can be compromised, even data from a Java virtual machine submitted with a custom-built protocol.
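To make the point concrete, here is an added illustration of what that means on the server side. It is not code from the post or from either presentation: the line-based "custom protocol", the field names, the catalogue and the prices are all constructed for this example, and the server is modelled in Python rather than in whatever the applet's real backend would be. The applet may compute a price inside the JVM and ship it in a message, but the only thing a server can safely do with that value is ignore it.

```python
"""Server-side handling of a constructed applet protocol message.

Hypothetical format (not from the post): one text line per order, e.g.
    ORDER|item=SKU-42|price=1999|qty=3
where the applet fills in the price it computed client-side.
"""
from dataclasses import dataclass

# Constructed server-side catalogue (prices in cents): the only trustworthy
# source of prices, because it never leaves the server.
CATALOGUE = {"SKU-42": 1999, "SKU-7": 250}
MAX_QTY = 10


@dataclass(frozen=True)
class Order:
    item: str
    qty: int
    total_cents: int


def parse_message(msg: str) -> dict:
    """Split 'ORDER|k=v|k=v' into a dict, rejecting anything malformed
    (wrong message type, missing '=', duplicate keys) instead of guessing."""
    parts = msg.strip().split("|")
    if not parts or parts[0] != "ORDER":
        raise ValueError("unexpected message type")
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep or not key or key in fields:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    return fields


def handle_order_trusting_client(msg: str) -> Order:
    """Vulnerable handler: charges whatever price the applet sent.
    The JVM, obfuscation and the custom protocol give no protection here;
    whoever controls the client controls the 'price' field."""
    f = parse_message(msg)
    qty = int(f["qty"])
    return Order(f["item"], qty, int(f["price"]) * qty)


def handle_order_hardened(msg: str) -> Order:
    """Hardened handler: the client may choose an item and a quantity, but the
    server decides the price and enforces limits. The client-supplied 'price'
    is not validated, it is simply never read, so there is nothing to tamper with."""
    f = parse_message(msg)
    item = f.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    try:
        qty = int(f.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return Order(item, qty, CATALOGUE[item] * qty)


def hardened_accepts(msg: str) -> bool:
    """True if the hardened handler would process the message, False if it
    rejects it; handy for checking the negative cases."""
    try:
        handle_order_hardened(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed tampered message: the applet's computed price replaced by 1.
    tampered = "ORDER|item=SKU-42|price=1|qty=3"
    print(handle_order_trusting_client(tampered))  # total_cents=3
    print(handle_order_hardened(tampered))         # total_cents=5997
```

The design choice worth noticing is that the hardened handler does not try to check whether the submitted price is "reasonable"; it treats every client-originated field as a request, re-derives anything with security significance from server-side state, and bounds the rest. That is the same rule whether the client is a browser form, a native application, or an applet speaking a protocol nobody outside the project has documented.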
